From: "Konrad Weihmann" <kweihmann@outlook.com>
To: akuster808 <akuster808@gmail.com>, yocto@lists.yoctoproject.org
Subject: Re: [yocto] [meta-security][meta-hardening][PATCH] meta-harden: Add a layer to demo harding OE/YP
Date: Sun, 2 Aug 2020 22:58:10 +0200	[thread overview]
Message-ID: <AM7PR05MB6881652BB7B952764B0EB37FA84C0@AM7PR05MB6881.eurprd05.prod.outlook.com> (raw)
In-Reply-To: <b1652b2a-4eee-8d89-313e-ccefb7227af3@gmail.com>

Hi Armin,

that sounds good. Please keep me in the loop.
BTW did you/the project create any kind of roadmap, just out of interest?

BR
Konrad

On 02.08.20 17:24, akuster808 wrote:
> 
> 
> On 8/2/20 2:47 AM, Konrad Weihmann wrote:
>> Hi,
>>
>> is this just a demo, or are there plans to broaden the scope of this 
>> layer?
> 
> There are plans to broaden it. Some of this came from another
> layer I have which did not belong.
> 
>> To me it would make perfect sense to have more of these features
>> (besides sudo, openssh and root-pwd) and I'm willing to contribute, if
>> this is something that will be actively pursued by the project.
> That would be awesome and welcome.
> 
>> IMHO this should become a core feature (DISTRO_FEATURE for example)
>> rather than having it separately
> 
> I need a DISTRO_FEATURE to have this work with the layer this work came 
> from.  I have a DISTRO_FEATURE support almost working.
> 
>>
>> Regards
>> Konrad
>>
>> On 26.07.20 22:10, akuster wrote:
>>> diff --git a/meta-hardening/README b/meta-hardening/README
>>> new file mode 100644
>>> index 0000000..37a0b7e
>>> --- /dev/null
>>> +++ b/meta-hardening/README
>>> @@ -0,0 +1,86 @@
>>> +# This is an example for Security hardening an OE or Poky image
>>> +
>>> +
>>> +Meta-hardening
>>> +=============
>>> +
>>> +This layer provides examples for hardening OE/Yocto images.
>>> +This layer does not provide 100% security protection.  This is only
>>> +a framework from which a user can build from and can possible 
>>> contribute to.
>>> +The goal here is to capture use cases and examples the community 
>>> decided shares for
>>> +everyones benefit.
>>> +
>>> +Building the meta-hardening layer
>>> +-------------------------------
>>> +In order to add hardening support to the poky/OE build this layer 
>>> should be added
>>> +to your projects bblayers.conf file.
>>> +
>>> +By default the hardening components are disabled.  This conforms to the
>>> +Yocto Project compatible guideline that indicate that simply 
>>> including a
>>> +layer should not change the system behavior.
>>> +
>>> +In order to use the components in this layer to take affect the
>>> 'harden' keyword must
>>> +set the DISTRO as in "DISTRO = harden".   This enables the "NO ROOT 
>>> access" idea or framework.
>>> +
>>> +If one wants the a more complete example of a hardened image, one 
>>> must also build the image:
>>> +harden-image-minimal
>>> +
>>> +There are default example userid and passwards:
>>> +These can be over written in your local.conf via:
>>> +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
>>> +DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
>>> +
>>> +example:
>>> +local.conf
>>> +DISTRO = "harden"
>>> +
>>> +The default user and password are:
>>> +User: "myadmin"
>>> +Password: "1SimplePw!"
>>> +
>>> +bitbake {qemu machine} harden-image-minimal
>>> +
>>> +Dependencies
>>> +============
>>> +
>>> +Branch: master
>>> +
>>> +This layer depends on:
>>> +
>>> +URI: git://git.yoctoproject.org/poky
>>> +
>>> +or this normal combo:
>>> +
>>> +URI: git://git.openembedded.org/meta-openembedded/meta-oe
>>> +
>>> +URI: git://git.openembedded.org/bitbake
>>> +
>>> +plus:
>>> +
>>> +URI: git://git.openembedded.org/meta-openembedded
>>> +layers: meta-oe
>>> +
>>> +
>>> +Maintenance
>>> +-----------
>>> +
>>> +Send pull requests, patches, comments or questions to 
>>> yocto@yoctoproject.org
>>> +
>>> +When sending single patches, please using something like:
>>> +'git send-email -1 --to yocto@yoctoproject.org 
>>> --subject-prefix=meta-hardening][PATCH'
>>> +
>>> +These values can be set as defaults for this repository:
>>> +
>>> +$ git config sendemail.to yocto@yoctoproject.org
>>> +$ git config format.subjectPrefix meta-hardening][PATCH
>>> +
>>> +Now you can just do 'git send-email origin/master' to send all local 
>>> patches.
>>> +
>>> +Maintainers:  Armin Kuster <akuster808@gmail.com>
>>> +
>>> +License
>>> +=======
>>> +
>>> +All metadata is MIT licensed unless otherwise stated. Source code 
>>> included
>>> +in tree for individual recipes is under the LICENSE stated in each 
>>> recipe
>>> +(.bb file) unless otherwise stated.
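Review bot: the README documents ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT but never mentions DISABLE_ROOT, which harden.conf defaults to "True" and which decides whether root is locked or given the default password; add it to the "example userid and passwards" section, and state there that the shipped defaults ("myadmin", "1SimplePw!") are demo values that must be overridden in local.conf before an image is used anywhere but a lab. The same section would benefit from showing the override together with the DISTRO line, e.g. DISTRO = "harden" followed by ROOT_DEFAULT_PASSWORD = "..." in one local.conf example, since the two snippets are currently split. Typos in this file: "passwards", "over written", "everyones", "take affect", "the a more complete", "please using", and the "Meta-hardening" underline is one character short.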
>>> diff --git a/meta-hardening/conf/distro/harden.conf 
>>> b/meta-hardening/conf/distro/harden.conf
>>> new file mode 100644
>>> index 0000000..66db9b7
>>> --- /dev/null
>>> +++ b/meta-hardening/conf/distro/harden.conf
>>> @@ -0,0 +1,11 @@
>>> +DISTRO = "harden"
>>> +DISTRO_NAME = "Simple Security hardening example"
>>> +DISTRO_VERSION = "1.0"
>>> +
>>> +DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile 
>>> usbhost"
>>> +
>>> +VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
>>> +IMAGE_ROOTFS_EXTRA_SPACE = "524288"
>>> +EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
>>> +
>>> +DISABLE_ROOT ?= "True"
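Review bot: DISTRO_FEATURES and IMAGE_ROOTFS_EXTRA_SPACE are hard-assigned with "=", so a user's local.conf cannot adjust either without replacing the whole value; the DISTRO_FEATURES list also silently drops every feature OE would otherwise default to, which is a defensible choice for a hardening distro but should be stated as intentional in a comment, and IMAGE_ROOTFS_EXTRA_SPACE could use "?=". EXTRA_IMAGE_FEATURES_remove = "debug-tweaks" only covers EXTRA_IMAGE_FEATURES; an image recipe that lists "debug-tweaks" directly in IMAGE_FEATURES would still get the empty-root-password and allow-root-login tweaks, so add IMAGE_FEATURES_remove = "debug-tweaks" as well. DISABLE_ROOT is a layer-private variable; a prefixed name such as HARDEN_DISABLE_ROOT makes its origin obvious in a bitbake -e dump and avoids clashing with another layer using the same name.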
>>> diff --git a/meta-hardening/conf/layer.conf 
>>> b/meta-hardening/conf/layer.conf
>>> new file mode 100644
>>> index 0000000..5896214
>>> --- /dev/null
>>> +++ b/meta-hardening/conf/layer.conf
>>> @@ -0,0 +1,13 @@
>>> +# We have a conf and classes directory, add to BBPATH
>>> +BBPATH .= ":${LAYERDIR}"
>>> +
>>> +# We have a recipes directory, add to BBFILES
>>> +BBFILES += "${LAYERDIR}/recipes*/*/*.bb 
>>> ${LAYERDIR}/recipes*/*/*.bbappend"
>>> +
>>> +BBFILE_COLLECTIONS += "harden-layer"
>>> +BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
>>> +BBFILE_PRIORITY_harden-layer = "10"
>>> +
>>> +LAYERSERIES_COMPAT_harden-layer = "dunfell"
>>> +
>>> +LAYERDEPENDS_harden-layer = "core openembedded-layer"
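Review bot: LAYERSERIES_COMPAT_harden-layer = "dunfell" contradicts the README's "Branch: master" under Dependencies; pick one and keep them in sync, or add a comment here naming the release the layer was tested against. The first comment mentions a classes directory, but the patch adds no classes/; either drop the word or add the directory. Minor: the collection name "harden-layer" differs from both the DISTRO name "harden" and the directory name "meta-hardening", which makes the layer's overrides and priorities harder to grep for; using one name for all three is the usual convention.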
>>> diff --git 
>>> a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend 
>>> b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
>>> new file mode 100644
>>> index 0000000..67be3f3
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
>>> @@ -0,0 +1,13 @@
>>> +do_install_append_harden () {
>>> +    # to hardend
>>> +    sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' 
>>> ${D}${sysconfdir}/ssh/sshd_config
>>> +    sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' 
>>> ${D}${sysconfdir}/ssh/sshd_config
>>> +    sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' 
>>> ${D}${sysconfdir}/ssh/sshd_config
>>> +    sed -i -e 's:#MaxSessions.*:MaxSessions 2:' 
>>> ${D}${sysconfdir}/ssh/sshd_config
>>> +    sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' 
>>> ${D}${sysconfdir}/ssh/sshd_config
>>> +    sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' 
>>> ${D}${sysconfdir}/ssh/sshd_config
>>> +
>>> +    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', 
>>> d)}" = "yes" ]; then
>>> +        sed -i -e 's:#PermitRootLogin.*:PermitRootLogin 
>>> prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
>>> +    fi
>>> +}
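Review bot: every sed in do_install_append_harden succeeds silently when its pattern does not match the shipped sshd_config (for example if a later openssh recipe changes the "ClientAliveCountMax 4" or "#MaxSessions" text), so the hardening can disappear without a build failure; add a check after the edits, for each option, along the lines of
grep -q '^AllowTcpForwarding no' ${D}${sysconfdir}/ssh/sshd_config || bbfatal "sshd_config hardening not applied"
or ship a complete sshd_config instead of patching one. Second, when DISABLE_ROOT is "True" the image locks root with "usermod -L root" (harden-image-minimal.bb), but sshd is set to "PermitRootLogin prohibit-password", which still permits key-based root login; if the README's "NO ROOT access" is the intent, "PermitRootLogin no" is the matching setting. Typo in the comment: "hardend".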
>>> diff --git 
>>> a/meta-hardening/recipes-core/base-files/base-files_%.bbappend 
>>> b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
>>> new file mode 100644
>>> index 0000000..3956304
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
>>> @@ -0,0 +1,4 @@
>>> +
>>> +do_install_append_harden () {
>>> +    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
>>> +}
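Review bot: the sed 's/umask.*/umask 027/g' on ${sysconfdir}/profile matches any line containing "umask", comments included, and is a silent no-op if profile has no umask line at all; anchor it (s/^umask .*/umask 027/) and verify with grep afterwards, as suggested for the other appends. ${D}/${sysconfdir} also has a doubled slash because ${sysconfdir} already starts with one; the other appends write ${D}${sysconfdir}. Worth a comment in the README: profile only affects login shells, login.defs UMASK (shadow append) covers the login path, and services started from init get neither, so say which umask the layer actually guarantees.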
>>> diff --git 
>>> a/meta-hardening/recipes-core/images/harden-image-minimal.bb 
>>> b/meta-hardening/recipes-core/images/harden-image-minimal.bb
>>> new file mode 100644
>>> index 0000000..daed3fb
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
>>> @@ -0,0 +1,25 @@
>>> +SUMMARY = "A small image for an example hardening OE."
>>> +
>>> +IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
>>> +IMAGE_INSTALL_append = " os-release"
>>> +
>>> +IMAGE_FEATURES = ""
>>> +IMAGE_LINGUAS = " "
>>> +
>>> +LICENSE = "MIT"
>>> +
>>> +IMAGE_ROOTFS_SIZE ?= "8192"
>>> +
>>> +inherit core-image extrausers
>>> +
>>> +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
>>> +DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
>>> +DEFAULT_ADMIN_GROUP ?= "wheel"
>>> +DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
>>> +
>>> +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', 
>>> "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
>>> +
>>> +EXTRA_USERS_PARAMS += "useradd  ${DEFAULT_ADMIN_ACCOUNT};"
>>> +EXTRA_USERS_PARAMS += "groupadd  ${DEFAULT_ADMIN_GROUP};"
>>> +EXTRA_USERS_PARAMS += "usermod -P 
>>> '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
>>> +EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} 
>>> ${DEFAULT_ADMIN_ACCOUNT};"
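Review bot: nothing in harden-image-minimal.bb checks that DISTRO is "harden", yet all hardening in this series lives in _harden overrides; "bitbake harden-image-minimal" under another DISTRO produces an image with the same name, the documented default credentials and none of the sshd, login.defs or sudoers changes. An anonymous python function that calls bb.fatal() when d.getVar('DISTRO') != 'harden' makes that case fail loudly. Second, ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT_PASSWORD default to the string printed in the README; a hardening example should refuse to build when they are left at that value (compare against the default and bb.fatal) rather than ship a publicly known password. Minor: the bb.utils.contains(...) inline python mixes double quotes inside a double-quoted assignment; single quotes inside keep it readable.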
>>> diff --git 
>>> a/meta-hardening/recipes-core/initscripts/files/mountall.sh 
>>> b/meta-hardening/recipes-core/initscripts/files/mountall.sh
>>> new file mode 100755
>>> index 0000000..e093f96
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
>>> @@ -0,0 +1,41 @@
>>> +#!/bin/sh
>>> +### BEGIN INIT INFO
>>> +# Provides:          mountall
>>> +# Required-Start:    mountvirtfs
>>> +# Required-Stop:
>>> +# Default-Start:     S
>>> +# Default-Stop:
>>> +# Short-Description: Mount all filesystems.
>>> +# Description:
>>> +### END INIT INFO
>>> +
>>> +. /etc/default/rcS
>>> +
>>> +#
>>> +# Mount local filesystems in /etc/fstab. For some reason, people
>>> +# might want to mount "proc" several times, and mount -v complains
>>> +# about this. So we mount "proc" filesystems without -v.
>>> +#
>>> +test "$VERBOSE" != no && echo "Mounting local filesystems..."
>>> +mkdir -p /home
>>> +mkdir -p /var
>>> +mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
>>> +
>>> +#
>>> +# We might have mounted something over /dev, see if /dev/initctl is 
>>> there.
>>> +#
>>> +if test ! -p /dev/initctl
>>> +then
>>> +    rm -f /dev/initctl
>>> +    mknod -m 600 /dev/initctl p
>>> +fi
>>> +kill -USR1 1
>>> +
>>> +#
>>> +# Execute swapon command again, in case we want to swap to
>>> +# a file on a now mounted filesystem.
>>> +#
>>> +[ -x /sbin/swapon ] && swapon -a
>>> +
>>> +: exit 0
>>> +
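Review bot: this file appears to be a copy of the initscripts mountall.sh with "mkdir -p /home" and "mkdir -p /var" added before mount -a, and nothing says why (presumably separate /home and /var mounts, but no fstab in this patch creates them); add a comment stating the intent and fill in the empty "Description:" LSB field. Since the whole script is replaced, upstream fixes to it will be lost; a sed in the bbappend for the two added lines would be easier to maintain. Also ": exit 0" is a no-op (the ':' builtin), so the script's exit status is whatever "[ -x /sbin/swapon ] && swapon -a" returns; if a non-zero status is not wanted, make it a real "exit 0".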
>>> diff --git 
>>> a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend 
>>> b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
>>> new file mode 100644
>>> index 0000000..896b039
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
>>> @@ -0,0 +1,8 @@
>>> +FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
>>> +
>>> +SRC_URI_append_harden = " file://mountall.sh"
>>> +
>>> +do_install_append_harden() {
>>> +    install -d ${D}${sysconfdir}/init.d
>>> +    install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
>>> +}
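Review bot: do_install_append_harden overwrites the mountall.sh that the base initscripts recipe already installed into ${sysconfdir}/init.d, so the replacement happens silently and without a note in the README; state it there, or prefer a patch or sed for the two added mkdir lines so the base script is not forked. The other appends use a "%" version wildcard (openssh_%.bbappend, shadow_%.bbappend) while this one pins initscripts_1.0; consistent naming avoids one append going stale when a recipe version moves.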
>>> diff --git 
>>> a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb 
>>> b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
>>> new file mode 100644
>>> index 0000000..1dcd5fc
>>> --- /dev/null
>>> +++ 
>>> b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
>>> @@ -0,0 +1,19 @@
>>> +#
>>> +#
>>> +#
>>> +
>>> +SUMMARY = "Hardening example group"
>>> +
>>> +inherit packagegroup
>>> +
>>> +PROVIDES = "${PACKAGES}"
>>> +PACKAGES = "${PN}  \
>>> +    packagegroup-${PN} \
>>> +"
>>> +
>>> +RDEPENDS_${PN} = "\
>>> +    init-ifupdown \
>>> +    ${VIRTUAL-RUNTIME_base-utils-syslog} \
>>> +    sudo \
>>> +    ${@bb.utils.contains("DISTRO_FEATURES", "pam", 
>>> "pam-plugin-wheel", "",d)} \
>>> +"
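Review bot: PACKAGES = "${PN} packagegroup-${PN}" declares a second package named packagegroup-packagegroup-hardening that nothing populates or installs; drop the "packagegroup-${PN}" entry unless a sub-group is intended. The three empty "#" lines at the top should become a real description or be removed. The pam-plugin-wheel dependency is guarded on "pam" in DISTRO_FEATURES here, but the sudo append adds the pam-wheel PACKAGECONFIG unconditionally; keep the two consistent so a DISTRO_FEATURES override cannot leave sudo without its wheel module.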
>>> diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend 
>>> b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
>>> new file mode 100644
>>> index 0000000..3f363f0
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
>>> @@ -0,0 +1,10 @@
>>> +do_install_append_harden () {
>>> +    # to hardend
>>> +    sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
>>> +    sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' 
>>> ${D}${sysconfdir}/login.defs
>>> +    sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' 
>>> ${D}${sysconfdir}/login.defs
>>> +    sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' 
>>> ${D}${sysconfdir}/login.defs
>>> +    sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' 
>>> ${D}${sysconfdir}/login.defs
>>> +    sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' 
>>> ${D}${sysconfdir}/login.defs
>>> +    sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' 
>>> ${D}${sysconfdir}/login.defs
>>> +}
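Review bot: PASS_MIN_LEN and LOGIN_RETRIES in login.defs are only honoured by shadow's non-PAM code paths, and harden.conf puts "pam" in DISTRO_FEATURES, so on this distro password length and retry limits come from the PAM stack (pam_unix plus a pam_pwquality or pam_cracklib entry), not from these two lines; either add the matching PAM configuration or drop the lines and say so in a comment. The aging values (PASS_MAX_DAYS 365, PASS_MIN_DAYS 1, PASS_WARN_AGE 14) are useradd defaults for accounts created after this file is in place, so check /etc/shadow in the built rootfs to confirm the extrausers "myadmin" account actually receives them. As in the other appends, each sed is a silent no-op if the pattern changes, and the unanchored 's:UMASK.*:UMASK 027:' also rewrites comment lines that mention UMASK. Typo: "hardend".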
>>> diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend 
>>> b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
>>> new file mode 100644
>>> index 0000000..a31c081
>>> --- /dev/null
>>> +++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
>>> @@ -0,0 +1,7 @@
>>> +
>>> +PACKAGECONFIG_append_harden = " pam-wheel"
>>> +do_install_append_harden () {
>>> +    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', 
>>> d)}" = "yes" ]; then
>>> +        sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' 
>>> ${D}${sysconfdir}/sudoers
>>> +    fi
>>> +}
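Review bot: commenting out "root ALL=(ALL) ALL" when DISABLE_ROOT is "True" is a silent no-op if the shipped sudoers spells that line differently (sudo 1.9's default sudoers uses "root ALL=(ALL:ALL) ALL"), and it changes little in practice since a locked root does not need sudo; if it stays, grep for the expected result so a non-matching pattern fails the build. The more important point is that "pam-wheel" in PACKAGECONFIG requires sudo's pam PACKAGECONFIG, which the recipe derives from "pam" in DISTRO_FEATURES; harden.conf sets that today, but the packagegroup guards pam-plugin-wheel on the same feature while this append does not, so a user who overrides DISTRO_FEATURES loses wheel gating on sudo without an error. Guard it the same way:
PACKAGECONFIG_append_harden = "${@bb.utils.contains('DISTRO_FEATURES', 'pam', ' pam-wheel', '', d)}"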

Thread overview: 4+ messages
2020-07-26 20:10 [meta-security][meta-hardening][PATCH] meta-harden: Add a layer to demo harding OE/YP akuster
2020-08-02  9:47 ` [yocto] " Konrad Weihmann
2020-08-02 15:24   ` akuster
2020-08-02 20:58     ` Konrad Weihmann [this message]